Multiple vulnerabilities have been discovered in ytnef, the worst of which could potentially lead to remote code execution.
Package | net-mail/ytnef on all architectures |
---|---|
Affected versions | < 2.0 |
Unaffected versions | >= 2.0 |
ytnef is a TNEF stream reader for reading winmail.dat files.
The TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file. The SwapWord function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a crafted file.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All ytnef users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/ytnef-2.0"
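To confirm that no host still carries an affected build after the upgrade, the following added example (not part of the advisory) classifies installed package atoms against the advisory's `< 2.0` bound. It assumes atoms in the `category/name-version` form printed by `qlist -Iv` from portage-utils and GNU `sort -V`; the function names and the sample atoms are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify ytnef atoms against the advisory's version bound.
FIXED="2.0"   # from the advisory: affected < 2.0, unaffected >= 2.0

# ytnef_status ATOM -> prints "affected", "unaffected" or "other"
ytnef_status() {
    atom=$1
    case $atom in
        net-mail/ytnef-[0-9]*) ;;
        *) echo other; return 0 ;;
    esac
    ver=${atom#net-mail/ytnef-}
    # Drop a Gentoo revision suffix (-r1, -r2, ...); it does not change the upstream version.
    ver=$(printf '%s\n' "$ver" | sed 's/-r[0-9][0-9]*$//')
    # Pre-release suffixes sort *before* the plain version in Gentoo, unlike in sort -V.
    pre=0
    case $ver in
        *_alpha*|*_beta*|*_pre*|*_rc*) pre=1; ver=${ver%%_*} ;;
    esac
    if [ "$ver" = "$FIXED" ]; then
        if [ "$pre" -eq 1 ]; then echo affected; else echo unaffected; fi
        return 0
    fi
    # sort -V orders version strings; the first line is the lower version.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED" | sort -V | head -n 1)
    if [ "$lowest" = "$ver" ]; then echo affected; else echo unaffected; fi
}

# scan_atoms: read atoms on stdin, print "status<TAB>atom" for each ytnef atom.
scan_atoms() {
    while IFS= read -r atom; do
        status=$(ytnef_status "$atom")
        [ "$status" = other ] || printf '%s\t%s\n' "$status" "$atom"
    done
}

# Constructed sample input; on a Gentoo host use: qlist -Iv net-mail/ytnef | scan_atoms
scan_atoms <<'EOF'
net-mail/ytnef-1.9.3-r2
net-mail/ytnef-2.0_rc1
net-mail/ytnef-2.0
net-mail/ytnef-2.1.1
net-mail/mutt-2.2.12
EOF
```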
Release date: May 08, 2024
Latest revision: May 08, 2024: 1
Severity: normal
Exploitable: remote
Bugzilla entries